[SecurityRatty] tag: requires

Best practices for Microsoft Exchange 2007 deployment

Mon, 18 Aug 2008 20:00:00 +0000

Deployment of Microsoft Exchange 2007 requires a comprehensive understanding of the factors affecting the implementation. Learn how to handle hardware requirements, server roles and placement, high availability, fault tolerance and disaster recovery decisions for Exchange deployment.

A Complex Event = Sum (Events) + Situational Knowledge

Sat, 16 Aug 2008 05:11:34 +0000

Sometimes we read some opinions about CEP where folks opine that ”complex event processing” is really about processing “complex events” and not about “complex” “event processing”. The truth be told, processing “complex events” requires “complex” “event processing” so there is really no difference between the two ways of expressing CEP.

You can not process complex events in some very simple way and expect to get accurate results. You need knowledge, represented by one or more situational models, to process complex events.

Some folks, like to say that a “complex event” is simply an event which is an aggregation of two more more event objects. If you follow this (flawed) logic, then counting integers is complex event processing; because 1 plus 1 is 2, and 2 is an aggregation of 1 and 1, so 2 is a complex event (not!).

Since we know that counting is not a complex processing operation, then some folks would say that you can process complex events with very simple operations because you are processing complex events , in the case adding 1 to the previous number (counting), enriching an event object.

This is simply nonsense.

The logic flaw is that the basic definition of a “complex event” (used by many people) is wrong. A complex event is not simply an event object with two more more events as sub-components.

A complex event is when two event objects are combined (processed) to form a complex object with a higher degree of inference, or situational knowledge. One plus one equals more than two in complex event processing, because the combination of event objects requires knowledge (e.g. a situational model).

A Complex Event = Sum (EventsObjects) + Situational Knowledge

Let there be no mistake about it. Complex event processing is the complex processing of complex events. You cannot accurately process complex events with simple event processing models.

The simple processing of complex events is not CEP, it is simple event processing (event track-and-trace, simple event object enrichment, simple event object aggregation, and so forth).

MBTA Hack - Is it really this easy?

Fri, 15 Aug 2008 09:19:29 +0000

A lot of the focus of the MBTA vs MIT case has been discussion of the CharlieCards. These are MiFare classic cards which have been known to be broken earlier this year. There is also a paper disposable card called the CharlieTicket that uses a magnetic stripe. The MIT students presentation states that these are cloneable and forgeable using a $150 magnetic stripe reader/writer.

From the Confidential Memo Prepared for the MBTA which was publicly disclosed by the MBTA is court filing:

This seems to break all the rules of integrity of sensitive data storage. How could someone store money on a magnetic stripe in 2008 and not store an identifier that references the account in a central database?

The tickets do have a unique identifier generated when the card is initially purchased so a fraud detection system could be in place or is planned. But this would require tracking the value on the ticket or the usage of the ticket centrally so it isn’t clear why the value is stored on the card in the first place.

There are so many question about the security of this public system. Fraud costs the Massachusetts taxpayer money and refitting an insecure, ill-designed system costs the Massachusetts taxpayer money. [Disclosure: I am a Massachusetts taxpayer.]

It should be a requirement that the current system or the (hopefully) upgraded system be tested by an independent organization that specializes in cryptosystems. If the independent testing uncovers vulnerabilities, they need to be fixed before the system is fielded. Then the system should be retested to verify the fixes. Once the system is deemed secure by an independent organization, a summary of the test document should be published for public inspection. It should include the types of testing conducted and the results.

The public trust requires inspection of taxpayer funded projects to make sure they meet acceptible standards and vendors held responsible for deficiencies. Projects that use computers and software should not get a free pass. It will be interesting to see if the CharlieTicket system is ever held up to public scrutiny.

MBTA Hack: Is It Really This Easy?

Fri, 15 Aug 2008 09:19:29 +0000

From the Confidential Memo Prepared for the MBTA which was publicly disclosed by the MBTA is court filing:

Successful application lifecycle management: Setting the foundation

Thu, 14 Aug 2008 16:23:06 +0000

Successful application lifecycle management (ALM) initiatives don't just happen. Adopting an integrated approach to managing the lifecycle of software applications requires a careful, step-by-step process. Start by implementing these five practices in order to set your foundation.

Oracle Database 11g Release 1: Transparent Solutions for Security and Compliance

Thu, 14 Aug 2008 09:00:00 +0000

(Source: Oracle) The continued emergence of new regulations worldwide combined with the increasingly sophisticated nature of information theft requires strong data security. Oracle Database 11g Release 1 provides the industry's most advanced data security capabilities with security solutions that work transparently with existing applications while addressing mandatory requirements found in regulations.

A Dark Knight For Zango?

Wed, 13 Aug 2008 14:49:36 +0000

Here's a site - movietvonline(dot)com - that requires you to install Zango in order to view the content.

Click to Enlarge

Nothing unusual there, though I did think the owners of the website were pushing things a little, perhaps, to ask you to install something to view content you could view for free on the official website.

Anyway.

Turns out I was somewhat wrong, because they're not asking you to download Zango in order to watch trailers:

They want you to agree to install Zango in order to view whole movies, some streamed on the movietvonline website from other sources, others in the form of broken up downloads hosted on file-downloading sites.

Here's a shot of what appears to be a badly made camcorder (complete with people talking and scrunching up paper in the background) streamed on the website:

Clearly, the Joker isn't asking Batman "Why so serious" - he's asking him why the camcorder rip is so seriously bad. In fact, the whole site appears to be nothing more than a mass repository of dubiously acquired movie copies:

Click to Enlarge

...Holy Pirated Content, Batman!

7 Online Blunders That Threaten Your Identity

Mon, 11 Aug 2008 09:26:52 +0000

#7 - 'Shopping Online the Same Way You Do in Stores' -- Online shopping requires special precautions because the risks are different than in a walk-in store: You can't always be sure who you're doing business with. You must disclose more personal information, such as your address, to the online retailer....

VoIP service selection: MPLS, VPLS or Metro Ethernet?

Sun, 10 Aug 2008 19:30:03 +0000

Creating secure, reliable VoIP connections over a multi-site enterprise network requires knowledge of your specific infrastructure. Multi-Protocol Label Switching (MPLS), Virtual Private LAN Service (VPLS) and Metropolitan Ethernet (Metro Ethernet) all deliver connectivity with QoS, but determining which one will best serve your VoIP network requires a solid understanding of the features each provides.

Email Hacking Going Commercial - Part Two

Fri, 08 Aug 2008 10:31:54 +0000

Malware authors seeking financial gains from releasing their trojans often promote them as Remote Access Tools, which if we exclude the built-in anti-sandboxing and antivirus software killing capabilities, could pass for a RAT. In a similar deceptive fashion, email hacking services are pitched as email password recovery services.

Hacking as a Service sites seems to be popping out like mushrooms these days, thanks primarily due to the fact that yesterday's script kiddies are today's entrepreneurs trying to even monetize the process of bruteforcing. Here's their pitch :

"Well.. There is nothing different in our services. Like other group, we simply crack email addresses , and provide you the current password used by the victim to you for a suitable price. Nothing unique that we can brag about.... We don't hack NASA or CIA , we cannot hack a bank and steal a million dollars.. We just crack email password .. AND WE DO A HECK OF A JOB IN IT !! We cannot be as presentable as the other groups, trying to look as formal and corporate, as if they are running a Major Corporate Office. However they present it...password retrieval, online investigation.. access recovery...blah blah blah.. the most simplest way to put it is.. : Email Password Cracking: !! And since everyone else is busy faking it, or trying to be more presentable, we utilize our skills to get you what you want.. i.e. THE EMAIL PASSWORD. No buttering up, no marketing skills.. plain hardcore hacking !! So, since you now know what we do , and want us to do the job for you, please proceed to the order page for your relevant TARGET EMAIL and submit your request. All said and done, we will get the elusive password & send you a couple of proofs. You decide upon the authenticity of the proofs, and let us know if you are comfortable going ahead with the payment. PAY US, AND YOU GET THE PASSWORD !And as they say......."

How much are they charging for the bruteforcing? $150 for starters, which is prone to increase due to their bla bla bla about how sophisticated it was to obtain the password - given they actually manage to deliver the goods :

"Many groups charge a fixed price for an email cracking. We undertake more kinds of projects than anyone else. Frankly, each email is a different project in itself. We cannot charge you $100, for something which we can do for $50. Subsequently, we cannot charge you $100, for something which should be priced at $200. But we charge a minimum of $150 USD so that we end up taking orders from ONLY those who really need it. It is a small amount for the level of satisfaction, facts/truth and relief that you would ultimately achieve from this.It depends upon the nature of the job, the accessibility factor. and many other reasons likes:-

1- The email service provider
2- The target itself. How net-savvy he/she is.
3- Complexity of the password
4- Urgency of job and many other things collectively.

We will let you know our charges once we have the desired results only. Be assured, we wont charge you the moon. We charge only what we deserve, and is acceptable by you. Trust us !!"

Some of their answers to the frequently asked questions :

" - Who are you? Where are you from?
We are Hire2Hack Group. Member of our group are students in information technology, at some university in England, France, Italy, Japan, Australia, Canada, Brasilia and at United States of America.

- What services do you provide?
We can hack ANY EMAIL password for you very fast, reliable, secure and worldwide for a suitable price.

- Can you really hack password or just a making a shit scam?
Well, lot of people, lot of groups, companies do this service, but not guaranteed. This is only you can choose which group you want to Order. Be careful with these people. You can believe only on them who claims to provide proof before you really pay them.

- Is there any tool available to crack password?
Yes there is. And we are not giving it to you.

- How long does it takes to crack a password?
Each account is different and hacking time vary. On average, it might take about 1 to 3 days, but it may take anywhere from 24 hours to 30 days or more depending on how difficult is the hacking of each account.

- How can I believe you, that you got password?
We will provide you some good proofs before requesting you to pay us. The proof can be anything, you can decide what kind proof you need.

- Is there person will know that his/her email id has been cracked?
No, we provide you only the original password. That mean the current active password. Your victim/target will not realized that she/he has been hacked. NEVER, we said !

- How I will pay you, I do not have credit card or I do not want to give my credit card number on net?
Well, you can use international money transfer service such as Western Union (www.westernunion.com) or Money Gram (www.moneygram.com). These services immediate transfer money on same day or same hour. You can locate their agents in yours area from their website.

- Do I have to give you my password?
No. Any service which requires your password is simply trying to scam you out of access to your account.

- How will I know you really have the password?
We will show you the proofs.. which are mostly convincing.

- Since you have the password anyway, will you give it to me?
NO. Do not waste your time or ours. We will not release the password until full payment is made - no exceptions. We have had people request our service and once we recover the password, they reset the subject account then ask us for the original password so they can reset it back - the answer will be no. We have also had people ask if they could have the password since we've already recovered it and they cannot pay - the answer will be no. No password will be released until payment has been made in full - no exceptions.

- Will you recover more than one password? Can I request more than one email account?
Yes, but a separate request must be filled out for each one as you will only be billed for each successful recovery. If we have previously recovered a password for you and you have not paid, we will not begin any new request for you until your previous request is paid in full with exceptions for our established clientele. We charge at minimum US $100 for each account hacked.

- Do you reset or change the current password?
No. We do not try to guess the current password or the secret question's answer, we do not change their password. We give you only the Original password, which the victim is currently using.

- Is this confidential? Do you share my information with anyone else?
No, Not at all, Not in any case, its a trust between you and us. Your information will be respected as long as you abide by our Terms and Conditions and Privacy policy. We keep your personal records and requests confidential in our database but we respect your right to privacy and will not rent, share, sell, or trade any personal information unless required by law. But, if you engage in any spamming or fraudulent actives, Your information will be given to the appropriate authorities."

So you've got script kiddies cracking email addresses and probably engaging in the rest of the usual cybercrime activities, who are spam sensitive, and would expose their customers if they start spamming from the cracked emails? Now that's socially responsible, isn't it.

Targeted attacks are sexy, but bruteforcing email accounts no matter the number of proxies and wordlists that they have access to is so irrelevant, that social engineering a potential victim into infecting herself with malware through a live exploit URL seems to be the method of choice, next to a plain simple phishing email of course. In this case, what they're asking for in respect to the victim's details is the victim's country and victim's language, so that a localized social engineering or phishing attack can take place. However, this particular group seems to be using a standard bruteforcing tool.

One thing's for sure - cybercrime is getting easier to outsource, and with potential customers starting to have access to services they didn't a couple of years ago, fake scammers are also emerging in between the real ones.